Privacy Policy — Growth Advisor by Menture

Intuit & Xero OAuth Compliance: This Privacy Policy satisfies all five required Intuit App Assessment elements: (1) Data Minimization, (2) Data Retention & Deletion, (3) No Third-Party Data Sale, (4) Security Standards (TLS 1.2+ / AES-256), and (5) User Rights & Deletion Method.

1. Introduction

Menture Inc. ("Company," "we," "us," or "our") operates menture.ai and the Menture platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service, including when you connect your QuickBooks Online or Xero accounting account.

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide Directly

Account registration details (name, email address, company name)
Billing information (processed securely by our payment provider)
Support requests and communications

2.2 Information Collected via QuickBooks Online (Intuit) Integration

When you authorize Menture to connect to your QuickBooks Online account, we access only the data scopes necessary to provide the Service. We request only the scope com.intuit.quickbooks.accounting and nothing beyond that authorization.

Profit & Loss (P&L) report data including income and expense account balances
Chart of Accounts structure (account IDs, account types, account names)
Company name and basic organization metadata

We do not access payment card data, payroll records, employee information, or any QuickBooks scope outside of com.intuit.quickbooks.accounting.

2.3 Information Collected via Xero Integration

When you authorize Menture to connect to your Xero organization, we access only the following minimum required scopes:

accounting.reports.read — to retrieve Profit & Loss and financial report data
accounting.settings.read — to read Chart of Accounts and organization settings
openid, profile, email — to authenticate your identity
offline_access — to maintain the connection without requiring re-login every 30 minutes

We do not request full accounting access, transaction write access, or any Xero scope beyond those listed above.

2.4 Automatically Collected Technical Data

Log data (IP address, browser type, pages visited, access timestamps)
Device information (operating system, device type)
Usage analytics (features used, session duration — aggregated and anonymized)
Session cookies required for authentication and security (see Section 8)

3. Data Minimization and Purpose Limitation

Intuit Required Section — This section must be explicitly present and must not be removed or merged.

Menture Inc. is committed to data minimization. We only request access to the specific accounting data scopes necessary to provide the Menture services, and we do not access or store sensitive user credentials such as usernames or passwords.

We request only the minimum OAuth 2.0 scopes required for the features you use.
We do not access QuickBooks or Xero data beyond what is necessary to generate your requested reports and analysis.
We do not use your financial data for any purpose other than providing the Service you have subscribed to.
We do not store raw transaction data beyond the period necessary to fulfill your request.

4. How We Use Your Information

We use the information we collect only for the following purposes:

To provide, operate, and maintain the Service
To connect your QuickBooks Online or Xero account and retrieve authorized financial report data
To generate Profit & Loss mappings, analyses, and dashboards within the Service
To send transactional communications (account confirmations, security alerts, product updates)
To respond to your support inquiries
To improve and maintain the security and reliability of the Service
To comply with applicable legal and regulatory obligations
To detect, prevent, and address fraud and security incidents

5. Third-Party Sharing and Data Sale Prohibition

Intuit Required — Critical. This is the #1 reason Intuit rejects applications. This language must appear explicitly.

Menture Inc. does not sell, rent, or lease our customer lists or any financial data retrieved via the QuickBooks API or Xero API to third parties for marketing, advertising, or any other commercial purpose.

We do not share your personal information or financial data with third parties except in the following strictly limited circumstances:

Service Providers: Trusted vendors who assist in operating the Service (cloud hosting, analytics) under confidentiality agreements that prohibit them from using your data independently.
Legal Requirements: If required by law or valid legal process (e.g., court order or government request).
Business Transfers: In the event of a merger or acquisition, with notice before data is transferred.
With Your Explicit Consent: Only if you have separately and explicitly consented to a specific disclosure.

6. Data Retention and Deletion

Intuit Required — Must include a specific reachable method (email or form) for data deletion requests.

6.1 Retention Period

We retain your account information and connected financial data for as long as your account is active. If you close your account, we will delete or anonymize your personal data within 30 days, except where required by law or regulation.

6.2 QuickBooks and Xero Report Data

Financial report data retrieved from QuickBooks Online or Xero is retained only as long as necessary to deliver the requested report or analysis. Cached data is purged on a rolling basis and is not stored indefinitely.

6.3 Your Right to Request Deletion

You may revoke API access to QuickBooks Online at any time via your Intuit account settings at https://accounts.intuit.com. You may revoke Xero access via your Xero My Apps page at https://go.xero.com/myxero/app-connections.

Upon written request to support@menture.ai, we will delete all cached QuickBooks and Xero data within 30 business days. You may also submit a request via our Data Deletion page: menture.ai/data-deletion.

7. Data Security

Intuit Required — Must explicitly name TLS 1.2+ and AES-256. Vague security language is rejected.

All data retrieved via the Intuit OAuth 2.0 gateway and the Xero OAuth 2.0 gateway is encrypted in transit using TLS 1.2 or higher. All data stored on our servers — including OAuth access tokens, refresh tokens, and cached financial report data — is encrypted at rest using industry-standard AES-256 encryption.

Additional security measures include:

OAuth 2.0 Authorization Code Flow — we never store your QuickBooks or Xero username or password
Refresh token rotation — tokens are rotated on every refresh cycle to minimize leakage risk
Role-based access controls — financial data accessible only to authenticated, authorized users
Regular vulnerability assessments and security audits
Incident response procedures for potential data breaches, including regulatory notification as required

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service:

Session Cookies (required): Enable login, authentication, and security features
Preference Cookies: Remember your settings across sessions
Analytics Cookies: Help us understand usage using aggregated, anonymized data

You may configure your browser to refuse cookies. Disabling session cookies will prevent login. We do not use cookies for cross-site advertising or behavioral tracking.

9. Your Privacy Rights

9.1 All Users

Access: Request a copy of personal data we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your personal data (see Section 6.3)
Portability: Request your data in a structured, machine-readable format
Objection: Object to certain processing activities

9.2 California Residents (CCPA / CPRA)

You have the right to know what personal information we collect, the right to delete it, and the right to opt-out of the sale of personal information. We do not sell personal information. We will not discriminate against you for exercising your rights.

9.3 Canadian Residents (PIPEDA / Quebec Law 25)

You have the right to access and correct your personal information, to withdraw consent, and to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

9.4 EEA / UK Residents (GDPR / UK GDPR)

You have additional rights including the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: (a) contract performance, (b) legitimate interests, and (c) your consent where applicable.

10. Children's Privacy

The Service is not directed to individuals under 18. Menture Inc. does not knowingly collect data from children under 18. If we discover such collection, we will delete the data immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will post the updated version on this page with a new effective date. For material changes, we will provide additional notice such as email notification. Continued use of the Service after changes constitutes acceptance.

12. Contact and Data Requests

Menture Inc.

Privacy Email: privacy@menture.ai

Support Email: support@menture.ai

Mailing Address: 5000 Yonge Street, Suite 1901, Toronto, Ontario M2N 7E9, Canada

Data Deletion Page: menture.ai/data-deletion

Support Page: menture.ai/support